SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
The privacy and cybersecurity concerns of driving AVs in NZ
Tue, 19th Jul 2022
FYI, this story is more than a year old

There's a lot of debate to be had about automated vehicles. For many, the most immediate concern of driverless cars might be their physical safety, but there's a lot more at stake.

While automated vehicles (AVs) are highly advanced digital systems, like all computers, they are vulnerable to cyber attacks. Throw data privacy into the mix, and you have a lot of serious considerations that need safeguards. In May, the Ministry of Transport released the second draft of its Long-Term insights Briefing plan on automated vehicles (AVs). It looked at the impact automated vehicles could have on the transport system. There have now been two rounds of consultation, and the final version is expected to be released towards the end of this year.

So are we up to speed on this technology in New Zealand?

AVs in Aotearoa

New Zealand uses the International Standard J3016, developed by the Society of Automotive Engineers (SAE). According to the standard, there are different levels of automation, where zero means none at all and five means fully automated or driverless vehicles. The Ministry of Transport (Te Manatū Waka) says New Zealand has still yet to regulate AVs for levels three to five.

Currently, there are only vehicles with advanced driver-assistance systems (ADAS), such as automatic emergency braking roads, which is up to SAE level two. The ministry's strategic policy and innovation delivery lead Alec Morrison says the shift from level two to three is significant.

"Level three requires the driver to alternate between the role of an active driver in control of the entire driving task to monitoring the system and being ready to take back control at short notice," he says.

"It presents unique challenges regarding legal liability, in the instances of a collision incident, and safety - where the driver has the added complexity of alternating between roles.

Morrison says in terms of higher levels of vehicle automation beyond level 3, New Zealand experiences a lag in vehicle technology.

"We import all our vehicles from overseas. The types of vehicles we might see will be impacted by these supply chains, but also driven by regulatory settings, compliance regimes and consumer demand," he says.

Hacking into an AV

The Ministry of Transport says AVs may pose new and complex data privacy and cybersecurity risks that could increase as vehicles become progressively more automated and connected to an increasing number of external networks or platforms. In addition, the reliance on digital software could increase the number of vehicles impacted by a single software failure. Morrison says the ministry has not yet undertaken detailed work on cybersecurity concerns for AVs in New Zealand, but current key considerations include:

  • The security of AV software systems

Morrison says security will become synonymous with safety. The risk to safety includes the risk that software systems could be tampered with or fail. Systems could also be hacked remotely, from any location geographically, potentially impacting an entire fleet of vehicles.

"Hackers could either take control of the vehicle or shut down the network entirely (potentially for ransom). Vehicle hacking may become very lucrative as the number of AVs increase on the roads," says Morrison.

"There have already been claimed instances of remote vehicle hacking overseas. There will also be growing concerns around whether different generations of AVs remain secure throughout their lifetime."

There's the question of whether software systems will continue to be supported if the company goes out of business or the vehicle's hardware systems can no longer support the software updates. Moreover, while cybersecurity standards are being developed at the international level (mainly for manufacturers to adhere to), Morrison says this will remain an ongoing risk as new vehicle systems are developed and deployed.

  • Security standards

Another factor is that different manufacturers will likely have different security standards and pose different cybersecurity risks when entering the New Zealand fleet. Morrison says New Zealand will need to agree on the standard it wants and impose it on all new and used vehicle imports.

  • Storing information

AVs will collect and store a vast amount of information. This information will be collected from sensors and cameras to support the ADS (automated driving system) undertaking the driving function. Morrison says personal information will also be collected to improve the user experience for those using AVs. Ensuring all this remains private and secure is a crucial consideration for the government. He says there is legislation around collecting and using data in New Zealand and sharing personal information.

The Privacy Act 2020 outlines a framework for protecting an individual's right to privacy of personal information. It also gives effect to internationally recognised privacy obligations and standards concerning the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights.

"Questions remain around who owns the vehicle's data, and how can individuals be assured the data is not being used for purposes other than what it was intended for," says Morrison.

Canterbury associate professor Christoph Bartneck researches human-robot interaction, and he says although the hacking of AVs with the intent of causing bodily harm is a possibility, it shouldn't be overly emphasised.

"We've seen this in movies like The Fast and Furious series, people take over a fleet of AVs and control them and crash them. But the question really, is that something that we need to be worried about?" he asks.

"You could kill somebody like that, okay. But there are much easier ways of killing somebody. So is that really the most realistic threat that we have to deal with?"

But he says the privacy considerations are concerning, and it's not even about hacking - it's about what kind of information the car manufacturer can keep on its customers. Bartneck points to technology that is seen in AVs like Tesla. There are built-in cameras facing the driver, and when it's switched on, the idea is that it tracks the face to ensure that the person is paying attention to the road. Bartneck says even though technically the person isn't driving, the car is doing that, they still need to pay attention.

"Tesla now requires people, when they want to use the autopilot system, that they agree for Tesla to get access to all recordings in case of a crash," he says.

"We are having the first lawsuits now. So there's a lawsuit in LA, where essentially person driving a Tesla with autopilot ran a red light crashed into another car, two people died."

"The driver says 'Well, it wasn't me I didn't do it, the autopilot was in control.' If Telsa has to assume responsibility for all the traffic accidents, that's very, very dangerous and potentially also very expensive. So they now require access to all the recordings so that they can prove it wasn't them."

Bartneck says Telsa also offers car insurance, which makes the situation even more concerning.

"Let's assume the case that you've got car insurance with Tesla, they've got access to the videos. Let's say a traffic accident happens, maybe the car misbehaves and then you are totally in the hands of Tesla because how are you going to prove them wrong?" he says.

"It's a terrible, terrible mess."

The associate professor says many AV manufacturers can be cagey about sharing information regarding crashes. For example, Bartneck says he was stonewalled when he tried contacting one company in Singapore about their test results.

"We asked them well, you've got this testing setup, can we get please access to the information? What happened? How many kilometers are driven? How many crashes did you have? No access, absolutely gone. The only way that you can get it is through police reports," he says.

The next steps for Aotearoa

The ministry says exact timeframes for when we will see level three to five AVs on the roads in New Zealand are unclear.

It says AVs will require robust and tested systems to ensure that they are both resilient and secure in the face of cyber and physical threats. New Zealand will also need a clear national cybersecurity framework to reduce the points of vulnerability across the network. Morrison says Aotearoa will need to develop regulations around third-party apps and aftermarket modifications and the requisite liability if there is a system breach.

The ministry says in the future, AVs could have security ratings (like safety ratings now) for AV models with different levels of software encryption. This would assure those who want to use AVs as an office while commuting to work that their information and network connection is secure.

"New Zealand will continue to leverage off other jurisdictions and international bodies (like the UN), as well as other sectors or industries that have navigated similar issues," says Morrison.

But Bartneck says the government has been too slow off the ground with AVs and is just being reactive to the market.

"I would say New Zealand is sleeping at the wheel when it comes to AVS. They've started to respond now to a situation when they should have been on to it actually, a long time ago," he says.

Bartneck points to companies like Ohmio, which has been trialling and experimenting with AVs in New Zealand for quite some time. He says in 2017, the company wanted to move their little minibus manufacturing from China to New Zealand. Instead, they signed a $20 million deal in 2018 to leave all the manufacturing in China. The ministry says Ohmio has run trials of a level four AV shuttle service in Christchurch, but there haven't been any higher levels of automation on New Zealand roads to date.

Morrison says the transport system is currently facing immense pressure from significant issues, including:

  • Climate change (transport is responsible for 39% of Aotearoa's total domestic carbon dioxide (CO2) emissions, and 17% of gross emissions.
  • Road safety (Aotearoa has some of the worst deaths and serious injuries statistics in the OECD).
  • Ensuring an efficient and resilient supply chain in the face of broader pressures e.g., pandemics, global political unrest, driver shortages etc.

"While AVs have the potential to significantly change the transport system in the future, there are not currently any vehicles beyond those with ADAS on our roads (i.e., Level 2 automation)," says Morrison.

"For this reason, the government has been prioritising the challenges. Resourcing and attention are largely being funnelled to more immediate challenges as it is harder to gain traction on an issue where timeframes and exact risks and opportunities are unclear."